Splunk Session – Notes 2


  • Search and Reporting App is one of the applications that comes installed by default in Splunk.
    • Different Tabs
      • Search
        • Search data workspace
      • Analytics
        • Analytics workspace
      • Datasets
        • Shows all saved datasets
      • Reports
        • Shows all saved reports
      • Alerts
        • Shows all saved alerts
      • Dashboards
        • Shows all saved dashboards
  • Click on Search and Reporting App in the App Toolbar.
  • Creating Table Views
    • Put a search in the search bar and get the dataset.
    • Click on Create Table View to create a table view. Select the fields and then select Save to save the table view.
    • While saving the table, make sure to set appropriate permissions so that others can access the data without recreating the query.
    • All the tables created are saved in the Datasets tab. The other thing that can be done with a table is visualizing the data with Pivot. Add pivot columns to your data and create graphs accordingly. Change the X and Y axis, set the graph type and visualize the data.
  • Basic Searching and Dashboards
    • Add the search query into the Search bar.
    • Pipe the data into table and add the fields that need to be displayed in that table. This gives the data in a tabular format.
    • Now click on the Visualization tab; a default chart is prepared for the table data. Change the chart type in the settings. Go to Format to change the formatting, such as setting nulls to 0, showing values, or showing only the max and min values.
    • Click Save As on the visualization screen and choose Dashboard Panel. Select an existing dashboard name, or provide a new name if you want to create a new dashboard. Also provide the panel name for the dashboard.
    • If you want to add the table itself into the dashboard, go back to the Statistics tab, then Save As, then provide a Panel Name and select or create a Dashboard.
    • To get the average instead of a table, use stats avg(column). Go to Visualization and select the single value chart. Here you will have options to change the color of the value to red, amber or green based on the value displayed. You can change the caption and number format in the same options. You can add this as a dashboard panel as well.
    • Go to the dashboard. Click edit on the dashboard to move the panels and arrange them in the required format.
  • Time formats
    • To change the time format, after searching the data add a pipe and `eval <newfield>=strftime(<fieldname>, "<time format>")`; strftime expects an epoch-time field such as _time and eval stores the formatted string in the named field.
  • Field Extractions
    • Create a search in the Search Bar.
    • Select extract new fields in the Events tab.
    • Select source type
    • Select a sample event and click next
    • Choose Regular Expression or Delimiter
      • If Regular Expression, highlight the value to be identified in the sample string and enter the field name to extract it into. Click Add Extraction and check that the results are correct on the same sample data. Name the extraction and set the permissions.
      • If Delimiter, set the delimiters. Splunk attempts to find all the fields based on the delimiter provided. You can rename the fields; field names are case sensitive. Save the field extraction and provide permissions.
  • Intermediate Search
    • Filter | Transform | Present
    • Most popular transforming commands are
      • top
        • Most common values of a given field
        • top <field>
        • Defaults to 10 records
        • Can be combined with limit=<number>
        • Automatically builds the table with count and percent columns
        • Can be used with multiple fields
      • rare
        • Same syntax as top, but returns the least common values.
      • stats
        • stats function(field) by fields
        • Aggregates the data using functions such as count, max, min, avg, stdev, values, list
        • function: similar to an aggregate function in SQL; by field: similar to GROUP BY in SQL
      • sort
        • sort -cuser sorts descending
        • sort +cuser sorts ascending
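Putting the Filter | Transform | Present pattern together with the commands from the Time formats and Intermediate Search sections, here is an added example search (not from the original notes). It assumes an index `main`, a sourcetype `auth`, and the fields `action`, `user` and `src_ip`; adjust those names to your own data.

```spl
index=main sourcetype=auth action=failure earliest=-24h
| stats count AS failures, min(_time) AS first_seen, max(_time) AS last_seen, values(src_ip) AS sources BY user
| where failures >= 10
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -failures
| table user failures first_seen last_seen sources
```

The first line is the filter, stats and where are the transform, and eval/sort/table present the result with readable timestamps; replacing everything after the first line with `| top limit=5 user` gives the quick count-and-percent table described above instead.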
